The ACME enrollment method lets any ACME client obtain TLS certificates from Infisical using the ACME protocol (RFC 8555). This includes ACME clients such as Certbot, cert-manager in Kubernetes (using its ACME issuer type), and more. Infisical currently supports only the HTTP-01 challenge type for domain validation as part of the ACME enrollment method, so every host named in a certificate request must be reachable by Infisical over plain HTTP on port 80 while the challenge is being validated.

Diagram

The following sequence diagram illustrates the certificate enrollment workflow for requesting a certificate via ACME from Infisical.

Guide

In the following steps, we explore an end-to-end workflow for obtaining a certificate via ACME with Infisical.
Step 1: Configure a Certificate Authority

Before you can issue any certificate, you must first configure a Certificate Authority (CA). The CA you configure will be used to issue the certificate back to your client; it can be either Internal or External:
  • Internal CA: If you’re building your own PKI and wish to issue certificates for internal use, you should follow the guide here to create at minimum a root CA and an intermediate/issuing CA within Infisical.
  • External CA: If you have existing PKI infrastructure or wish to connect to a public CA (e.g. Let’s Encrypt, DigiCert, etc.) to issue TLS certificates, you should follow the documentation here to configure an External CA.
Note that if you’re looking to issue self-signed certificates, you can skip this step and proceed to Step 3.
Step 2: Create a certificate template

Next, follow the guide here to create a certificate template. The certificate template constrains which attributes are allowed in a request to issue a certificate. For example, you can require that the requested common name match a specific pattern such as *.acme.com, and that the maximum TTL not exceed 1 year. Because the template is enforced when the ACME order is finalized, it is the control that stops a client holding valid EAB credentials from requesting names or lifetimes outside what the profile is meant to issue. If you’re looking to issue TLS server certificates, select the TLS Server Certificate option under the Template Preset dropdown.
Step 3: Create a certificate profile

Next, follow the guide here to create a certificate profile that will be referenced when requesting a certificate. The certificate profile specifies which certificate template and issuing CA are used to validate an incoming certificate request and issue a certificate; it also specifies the enrollment method, i.e. how certificates can be requested against this profile in the first place. When creating the certificate profile, select the certificate template from Step 2, the issuing CA from Step 1, and the ACME option in the Enrollment Method dropdown.
Step 4: Request a certificate

Finally, follow the guide here to request a certificate against the certificate profile using an ACME client. The ACME client connects to Infisical’s ACME server at the ACME Directory URL and authenticates using the EAB Key Identifier (KID) and EAB Secret credentials through the protocol’s external account binding (RFC 8555, section 7.3.4). Treat the EAB Secret like any other credential: anyone who holds it can create an ACME account against this profile and request certificates for any name that passes HTTP-01 validation and the template’s constraints. The typical ACME workflow looks like this:
  • The ACME client creates (or reuses) an ACME account with Infisical, binding its account key to the EAB credentials.
  • The ACME client creates an order for one or more DNS names.
  • For each DNS name, the ACME client receives an HTTP-01 challenge and provisions the corresponding key authorization (the challenge token joined to a hash of its account key) at http://<domain>/.well-known/acme-challenge/<token>, which Infisical then fetches over port 80 to validate that the client controls the name.
  • Once all authorizations are valid, the ACME client finalizes the order by sending a CSR to Infisical, which is checked against the certificate template on the profile.
  • Infisical issues the certificate from the issuing CA on the certificate profile and returns it, together with the chain, to the ACME client.
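What the client does with the EAB credentials in the first bullet, and what it has to serve for the HTTP-01 challenge in the third, is easier to see in code than in prose. The following is an added example, not Infisical’s code and not that of any ACME client; it uses only the Python standard library, and the account key, EAB KID, EAB secret, newAccount URL and challenge token are constructed placeholders (the ACME endpoint is written as the hypothetical https://acme.example.test). It also includes the server-side verification of the binding, so you can see which fields Infisical is expected to check.

```python
"""Two pieces of RFC 8555 that an ACME client performs for you: the external
account binding JWS sent with newAccount (section 7.3.4) and the HTTP-01 key
authorization served at /.well-known/acme-challenge/<token> (section 8.3).
Standard library only; all key material and credentials below are placeholders.
"""
import base64
import hashlib
import hmac
import json
import re
from pathlib import Path


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical_json(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("ascii")


# Members that enter the thumbprint, per key type (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members in sorted, unspaced JSON."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return b64url(hashlib.sha256(_canonical_json({k: jwk[k] for k in members})).digest())


# --- HTTP-01 --------------------------------------------------------------

_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet, no padding


def challenge_file_path(webroot: str, token: str) -> Path:
    """Where a webroot-style client writes the response. The token becomes a
    file name, so refuse anything outside the base64url alphabet (e.g. '../')
    before touching the filesystem."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("ACME token contains characters outside base64url")
    return Path(webroot) / ".well-known" / "acme-challenge" / token


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || base64url(thumbprint(account key)): the response body."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_http01_response(body: bytes, token: str, account_jwk: dict) -> bool:
    """Pre-flight check of what the web server actually serves. RFC 8555 lets a
    server ignore trailing whitespace, but not every implementation does, so
    this comparison is byte-exact: a trailing newline is reported as a failure."""
    return hmac.compare_digest(body, key_authorization(token, account_jwk).encode("ascii"))


# --- External account binding ---------------------------------------------

def build_eab_jws(eab_kid: str, eab_secret: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side of RFC 8555 section 7.3.4: an HS256 JWS whose payload is the
    account public key, keyed with the base64url-decoded EAB secret. The
    protected header carries the CA-issued kid and the newAccount URL; unlike
    the outer request it carries no nonce."""
    protected = b64url(_canonical_json({"alg": "HS256", "kid": eab_kid, "url": new_account_url}))
    payload = b64url(_canonical_json(account_jwk))
    mac = hmac.new(b64url_decode(eab_secret), f"{protected}.{payload}".encode("ascii"), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}


def verify_eab_jws(eab: dict, lookup_secret, expected_url: str, outer_jwk: dict) -> bool:
    """Server side: check alg/url/no-nonce, re-derive the MAC from the secret
    registered for the kid, and confirm the bound key is the key that signed
    the outer newAccount request."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or "nonce" in header or header.get("url") != expected_url:
        return False
    secret = lookup_secret(header.get("kid"))
    if secret is None:
        return False
    signed = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(secret), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return jwk_thumbprint(json.loads(b64url_decode(eab["payload"]))) == jwk_thumbprint(outer_jwk)


# --- Constructed sample values (not real keys, credentials or endpoints) ---

# EC JWK with placeholder coordinates; not a valid curve point, which is fine
# for demonstrating the encoding and MAC steps.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(hashlib.sha256(b"demo-x").digest()),
               "y": b64url(hashlib.sha256(b"demo-y").digest())}
EAB_KID = "demo-eab-kid"                      # stands in for the KID shown in Infisical
EAB_SECRET = b64url(bytes(range(32)))          # stands in for the EAB Secret
NEW_ACCOUNT_URL = "https://acme.example.test/new-account"   # hypothetical endpoint
TOKEN = b64url(hashlib.sha256(b"demo-token").digest())      # constructed challenge token


def demo() -> dict:
    eab = build_eab_jws(EAB_KID, EAB_SECRET, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    body = key_authorization(TOKEN, ACCOUNT_JWK).encode("ascii")
    return {
        "eab_verified": verify_eab_jws(eab, {EAB_KID: EAB_SECRET}.get, NEW_ACCOUNT_URL, ACCOUNT_JWK),
        "challenge_path": str(challenge_file_path("/var/www", TOKEN)),
        "served_ok": check_http01_response(body, TOKEN, ACCOUNT_JWK),
        "served_with_newline_ok": check_http01_response(body + b"\n", TOKEN, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to any real client. The token validation in challenge_file_path matters because the token is chosen by the server and used as a path component; a client that skips the check can be made to write outside the challenge directory. And the EAB secret is only ever used as an HMAC key, so it is never sent on the wire, but whoever holds it can bind new accounts, which is why the verification above also ties the bound key to the key signing the outer request.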
ACME clients typically handle renewal by tracking certificate expiration and completing the lifecycle once again to request a new certificate.
We recommend reading more about the ACME protocol here.